Safety
information
Product
information
Mechanical
installation
Electrical
installation
Getting
started
Basic
parameters
Running the
motor
Optimization
NV Media Card
Operation
Building
Automation
Advanced
parameters
Technical
data
Diagnostics
UL listing
information
HVAC Drive H300 109
Issue Number: 3
4.15 Safe Torque Off (STO)
The Safe Torque Off function provides a means for preventing the drive
from generating torque in the motor, with a very high level of integrity. It
is suitable for incorporation into a safety system for a machine. It is also
suitable for use as a conventional drive enable input.
The safety function is active when the STO input is in the logic-low state
as specified in the control terminal specification. The function is defined
according to EN 61800-5-2 and IEC 61800-5-2 as follows. (In these
standards a drive offering safety-related functions is referred to as a
PDS(SR)):
‘Power, that can cause rotation (or motion in the case of a linear motor),
is not applied to the motor. The PDS(SR) will not provide energy to the
motor which can generate torque (or force in the case of a linear motor)’.
This safety function corresponds to an uncontrolled stop in accordance
with stop category 0 of IEC 60204-1.
The Safe Torque Off function makes use of the special property of an
inverter drive with an induction motor, which is that torque cannot be
generated without the continuous correct active behavior of the inverter
circuit. All credible faults in the inverter power circuit cause a loss of
torque generation.
The Safe Torque Off function is fail-safe, so when the Safe Torque Off
input is disconnected the drive will not operate the motor, even if a
combination of components within the drive has failed. Most component
failures are revealed by the drive failing to operate. Safe Torque Off is
also independent of the drive firmware. This meets the requirements of
the following standards, for the prevention of operation of the motor.
Machinery Applications
The Safe Torque Off Function has been independently assessed by
Notified Body, TüV Rheinland for use as a safety component of a
machine:
Prevention of unintended motor operation: The safety function "Safe
Torque Off" can be used in applications up to Cat 4. PL e according to
EN ISO 13849-1, SIL 3 according to EN 61800-5-2/ EN 62061/ IEC
61508 and in lift applications according to EN 81-1 and EN81-2
This certificate is available for download from the TüV Rheinland website
at: http://www.tuv.com
Safety Parameters as verified by TüV Rheinland:
According to IEC 61508-1 to 07 / EN 61800-5-2 / EN 62061
According to EN ISO 13849-1
Logic levels comply with IEC 61131-2:2007 for type 1 digital inputs rated
at 24 V. Maximum level for logic low to achieve SIL3 and PL e 5 V and
0.5 mA.
UL Approval
The Safe Torque Off function has been independently assessed by
Underwriters Laboratories (UL). The on-line certification (yellow card)
reference is: FSPC.E171230.
Safety Parameters as verified by UL:
According to IEC 61508-1 to 7
According to EN ISO 13849-1
Note on response time of Safe Torque Off, and use with safety
controllers with self-testing outputs:
Safe Torque Off has been designed to have a response time of greater
than 1 ms so that it is compatible with safety controllers whose outputs
are subject to a dynamic test with a pulse width not exceeding 1 ms.
Note on the use of servo motors, other permanent-magnet motors,
reluctance motors and salient-pole induction motors:
When the drive is disabled through Safe Torque Off, a possible (although
highly unlikely) failure mode is for two power devices in the inverter
circuit to conduct incorrectly.
This fault cannot produce a steady rotating torque in any AC motor. It
produces no torque in a conventional induction motor with a cage rotor. If
the rotor has permanent magnets and/or saliency, then a transient
alignment torque may occur. The motor may briefly try to rotate by up to
180° electrical, for a permanent magnet motor, or 90° electrical, for a
salient pole induction motor or reluctance motor. This possible failure
mode must be allowed for in the machine design.
Type examination
certificate No.
Date of issue Models
01.205/5270.01/14 2014-11-11 H300
Type Value
Percentage of SIL
3 allowance
Proof test interval 20 years
High demand or a continuous mode of operation
PFH (1/h)
4.21 x 10
-11
1/h
<1 %
Low demand mode of operation (not EN 61800-5-2)
PFDavg
3.68 x 10
-6
< 1 %
Type Value Classification
Category 4
Performance Level (PL) e
MTTF
D
>2500 years High
DC
avg
≥99 % High
Mission time 20 years
Type Value
Safety Rating SIL 3
SFF > 99 %
PFH (1/h)
4.43 x 10
-10
1/h
(<1 % of SIL 3 allowance)
HFT 1
Beta Factor 2 %
CFF Not applicable
Type Value
Category 4
Performance Level (PL) e
MTTF
D
2574 years
Diagnostic coverage High
CCF 65
The design of safety-related control systems must only be
done by personnel with the required training and experience.
The Safe Torque Off function will only ensure the safety of a
machine if it is correctly incorporated into a complete safety
system. The system must be subject to a risk assessment to
confirm that the residual risk of an unsafe event is at an
acceptable level for the application.
Safe Torque Off inhibits the operation of the drive, this
includes inhibiting braking. If the drive is required to provide
both braking and Safe Torque Off in the same operation (e.g.
for emergency stop) then a safety timer relay or similar device
must be used to ensure that the drive is disabled a suitable
time after braking. The braking function in the drive is
provided by an electronic circuit which is not fail-safe. If
braking is a safety requirement, it must be supplemented by
an independent fail-safe braking mechanism.
To Next Page